Exchange Throttling Policy Part 2: Google Apps Migrations

Exchange 2007 introduced a feature called RPC Client Throttling. It lets administrators manage end-user performance by preventing client applications, such as Outlook, from sending so many Remote Procedure Call (RPC) requests per second that server performance suffers. When Exchange determines that a client is having a negative effect on the server, it sends a “back-off” request telling the client to delay any additional requests for a specified time (maximum of 2000 milliseconds), which reduces the load on the server.

In Exchange 2010, Client Throttling has been much improved, monitoring and controlling much more than just RPC requests. Its purpose is still to ensure that users are not intentionally or unintentionally straining Exchange and that users share resources proportionally.

There is also Message Throttling in Exchange that restricts the number of messages and the number of connections that can be processed by an Exchange Transport server. In this article we will be talking only about Client Throttling.


Exchange 2010 server supports client request throttling. This can limit the performance of GAMME migrations when performing a large number of user migrations. To mitigate this, you can apply a specific policy to the GAMME Administrator account that exempts it from throttling.

Follow these steps to create and apply a custom throttling policy.

On the Microsoft Exchange Server, click Start > Microsoft Exchange Server 2010 > Exchange Management Shell.

In the shell, enter the following:

New-ThrottlingPolicy GAMME -RCAMaxConcurrency $null -RCAPercentTimeInAD $null -RCAPercentTimeInCAS $null -RCAPercentTimeInMailboxRPC $null

Set-Mailbox "GAMME_Admin" -ThrottlingPolicy GAMME


Google Apps Deployment Specialist – Passed the Exam!

Today I passed my Certification Exam. The Google Apps Certified Deployment Specialist exam certifies IT professionals who demonstrate the fundamental skills and knowledge required to deploy, configure, and migrate to Google Apps for Business and Education. It feels great and I must say it was tough, I studied hard. But I made it and I’m very glad that I put in those hours of studying, it was worth the effort!
Happy guy in colocation
Karl Wirén

Karl Wirén Google Apps Deployment Specialist in SWEDEN

Migrating from Exchange 2010 to Google Apps Throttling settings

Exchange 2010 server supports client request throttling. This can limit the performance of GAMME migrations when performing a large number of user migrations.

To mitigate this, you can configure a specific policy to the GAMME Administrator account that exempts it from throttling.

Follow these steps to create and apply a custom throttling policy.

On the Microsoft Exchange Server, click Start > Microsoft Exchange Server 2010 > Exchange Management Shell.

In the shell, enter the following:

New-ThrottlingPolicy GAMME -RCAMaxConcurrency $null -RCAPercentTimeInAD $null -RCAPercentTimeInCAS $null -RCAPercentTimeInMailboxRPC $null

Then type:

Set-Mailbox "GAMME_Admin" -ThrottlingPolicy GAMME

Set-ThrottlingPolicy -Identity "name of your policy" -EWSFindCountLimit 1500
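
A policy with its RCA limits set to $null leaves the account it is bound to unthrottled, so it is worth checking what the policy is attached to and removing it once the migration is done. The following is an added example, not part of the original posts; it covers the steps in both throttling posts on this page, uses the GAMME and GAMME_Admin names from them, and the function name Remove-MigrationExemption is hypothetical:

```powershell
# Added example: audit and roll back the throttling exemption.
# Run in the Exchange Management Shell. GAMME / GAMME_Admin are the names used above.
$policyName = 'GAMME'
$account    = 'GAMME_Admin'

# 1. Show the limits the policy lifts; a blank value means "no limit".
Get-ThrottlingPolicy -Identity $policyName |
    Format-List Name, RCAMaxConcurrency, RCAPercentTimeInAD,
                RCAPercentTimeInCAS, RCAPercentTimeInMailboxRPC, EWSFindCountLimit

# 2. List everything bound to the policy. Only the migration account should be here.
$bound = @(Get-ThrottlingPolicyAssociation -ThrottlingPolicy $policyName)
$bound | Format-Table Name, ThrottlingPolicyId -AutoSize
if ($bound.Count -ne 1) {
    Write-Warning "$($bound.Count) objects use policy '$policyName'; expected only $account"
}

# 3. After the migration: put the account back on the default policy
#    and delete the exemption. (Hypothetical helper name.)
function Remove-MigrationExemption {
    param([string]$Policy = $policyName, [string]$Mailbox = $account)

    # $null re-associates the mailbox with the default throttling policy
    Set-Mailbox -Identity $Mailbox -ThrottlingPolicy $null

    # Refuse to delete the policy while anything still references it
    $left = @(Get-ThrottlingPolicyAssociation -ThrottlingPolicy $Policy)
    if ($left.Count -gt 0) {
        $names = ($left | ForEach-Object { $_.Name }) -join ', '
        throw "Policy '$Policy' is still assigned to: $names"
    }
    Remove-ThrottlingPolicy -Identity $Policy -Confirm:$false
}
```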

Powershell for Google Apps Migration, good scripts to use

Ok, it’s been a long time since I posted something. Recently I have been working with migrating from Windows to Google Apps, but that doesn’t mean you won’t be able to use your MS skills 😉

Here are a couple of good PowerShell scripts I have been forced to use:

Create mail addresses on AD users

To be able to sync and migrate users to Google Apps you need to provide them with an email address, since that will be their unique user ID in GA:

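Get-ADUser -LDAPFilter '(!(mail=*))' -Properties givenName,sn |
    group { "{0}.{1}@Acme.com" -f $_.givenName,$_.sn } |
    Foreach {
        # $i counts the users in this group that would get the same address
        $i = 1
        foreach ($user in $_.Group) {
            if ($i -eq 1) {
                $mail = "{0}.{1}@Acme.com" -f $user.givenName,$user.sn
            } else {
                # every further user with the same name gets a zero-padded counter
                $mail = "{0}.{1}{2}@Acme.com" -f $user.givenName,$user.sn,("$i".PadLeft(3,"0"))
            }
            $i++
            # strip spaces (double names) before writing the mail attribute
            Set-ADUser -Identity $user -EmailAddress $mail.replace(" ","")
        }
    }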

Create mail addresses on AD users (but on a certain group):

This is useful if you are going to migrate a few users to GA and not the whole AD… This script takes the first name and surname, fixes it if it’s a double name, and if there is more than one user with the same name, it adds 001,002,003 🙂

Get-ADGroupMember -Identity "grupp" |
    Get-ADUser -Properties givenname,sn,mail |
    ?{ $_.mail -match '^$' } |
    group { "{0}.{1}@Acme.com" -f $_.givenName,$_.sn } |
    Foreach {
        $i = 1
        foreach ($user in $_.Group) {
            if ($i -eq 1) {
                $mail = "{0}.{1}@Acme.com" -f $user.givenName,$user.sn
            } else {
                $mail = "{0}.{1}{2}@Acme.com" -f $user.givenName,$user.sn,("$i".PadLeft(3,"0"))
            }
            $i++
            Set-ADUser -Identity $user -EmailAddress $mail.replace(" ","")
        }
    }

Create mail addresses by the sAMAccountName

For some users, you might want to use their sAMAccountName and not their first name and surname, so here is what you type then. Remember that this applies to a group as well:

Get-ADGroupMember -Identity "grupp" | Get-ADUser -Properties samaccountname | Foreach { Set-ADUser -Identity $_ -EmailAddress ("{0}@Acme.com" -f $_.samaccountname) }

Find users that do not have a mail address

This could be good to use; it tells you if any user in your AD does not have anything in the mail attribute:

Get-ADUser -Filter *  -Properties EmailAddress  | where { $_.EmailAddress -eq  $null }  | sort  | Select Name,EmailAddress

Find users that DO have the mail address attribute

And here is one that lists the users that do have something in the mail attribute. It could be good to use, so you can see that no users have a bad mail address:

Get-ADUser -Filter *  -Properties EmailAddress  | where { $_.EmailAddress -ne  $null }  | sort  | Select Name,EmailAddress
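
Because the mail attribute becomes the unique user ID in GA, the two listings above can be combined into one pre-sync check that flags missing, malformed and duplicate addresses. This is an added example, not one of the original scripts; the function name Find-MailProblems, the local-part pattern and the sample accounts are assumptions made for illustration:

```powershell
# Added example; Find-MailProblems is a hypothetical helper. Assumes PowerShell 3.0+.
function Find-MailProblems {
    param(
        [Parameter(Mandatory)][object[]]$Users,
        [string]$Domain = 'Acme.com'
    )
    # Assumed rule: ASCII letters, digits, dot, underscore, hyphen, then the expected domain
    $pattern  = '^[A-Za-z0-9._-]+@' + [regex]::Escape($Domain) + '$'
    $withMail = @($Users | Where-Object { $_.EmailAddress })

    # Addresses used by more than one account (compared case-insensitively)
    $dupes = @($withMail |
        Group-Object { $_.EmailAddress.ToLowerInvariant() } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object { $_.Name })

    foreach ($u in $Users) {
        $issue = if (-not $u.EmailAddress) { 'missing' }
                 elseif ($u.EmailAddress -notmatch $pattern) { 'malformed' }
                 elseif ($dupes -contains $u.EmailAddress.ToLowerInvariant()) { 'duplicate' }
                 else { $null }
        if ($issue) {
            [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                EmailAddress   = $u.EmailAddress
                Issue          = $issue
            }
        }
    }
}

# Constructed sample accounts (not real data) so the check runs without a directory
$sample = @(
    [pscustomobject]@{ SamAccountName = 'anna1'; EmailAddress = 'Anna.Berg@Acme.com' },
    [pscustomobject]@{ SamAccountName = 'anna2'; EmailAddress = 'anna.berg@acme.com' },
    [pscustomobject]@{ SamAccountName = 'bjorn'; EmailAddress = 'Björn.Ek@Acme.com' },
    [pscustomobject]@{ SamAccountName = 'svc01'; EmailAddress = $null }
)
Find-MailProblems -Users $sample | Format-Table -AutoSize

# Against a live directory:
# Find-MailProblems -Users (Get-ADUser -Filter * -Properties EmailAddress)
```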

Set random password on AD user 

In many cases when migrating to GA, you will bump into organisations that have more than 1 AD/domain. If so, you should use LDIFDE to export and import users to 1 AD, since GADS (Google Apps Directory Sync) only syncs from 1 AD. When you use LDIFDE it does not migrate the users’ passwords, so here is a good PS script to generate a random password and write it to a CSV file:

Import-Module ActiveDirectory

# Set vars
$WorkingOU = "OU=USERS,OU=MyLAB4,DC=demo,DC=local"
$WorkingFile = "C:\Temp\UserPasswords.txt"
$PassordLength = "12"

# Builds a password from a pattern of character classes:
# T = lower case, O = upper case, F = digit, S = symbol
function RandomPassword
{
    param (
        [int]$length,
        [string]$pattern # optional
    )
    $pattern_class = @("T", "O", "F", "S")
    $charpool = @{
        "T" = "abcdefghjkmnopqrstuvwxyz";
        "O" = "ABCDEFGHJKLMNOPQRSTUVWXYZ";
        "F" = "123456789";
        "S" = "!@#%&"
    }
    # System.Random is seeded from the clock and is not a cryptographic generator;
    # the sleep only makes sure consecutive calls get different seeds
    $rnd = New-Object System.Random
    Start-Sleep -Milliseconds $rnd.Next(500)
    if (!$pattern -or $pattern.Length -lt $length) {
        if (!$pattern) {
            $pattern = ""
            $start = 0
        } else {
            # continue after the last class already given in the pattern
            $start = $pattern.Length
        }
        for ($i = $start; $i -lt $length; $i++) {
            $pattern += $pattern_class[$rnd.Next($pattern_class.Length)]
        }
    }
    $password = ""
    for ($i = 0; $i -lt $length; $i++) {
        $wpool = $charpool[[string]$pattern[$i]]
        $password += $wpool[$rnd.Next($wpool.Length)]
    }
    return $password
}

# Cleaning up
Clear-Content $WorkingFile -ErrorAction SilentlyContinue

$Users = (Get-ADUser -SearchBase $WorkingOU -Filter *).SamAccountName
ForEach ($User in $Users) {
    # Retry until the password contains a digit, a lower-case letter,
    # an upper-case letter and a symbol
    do {
        $UserPasswordPlainText = RandomPassword -length $PassordLength
    } until ( $UserPasswordPlainText -match '\d' -and
              $UserPasswordPlainText -match '[a-z]' -and
              $UserPasswordPlainText -match '[A-Z]' -and
              $UserPasswordPlainText -match '\W' )

    $NewUserPassword = ConvertTo-SecureString $UserPasswordPlainText -AsPlainText -Force
    Set-ADAccountPassword -Identity $User -NewPassword $NewUserPassword -Reset
    # One "user;password" line per account, in clear text
    Add-Content -Path $WorkingFile -Value "$User;$UserPasswordPlainText" -Force
    # Debug
    #Write-Host "User $User password was set to $UserPasswordPlainText"
}
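
The script above draws its characters from System.Random, which is not a cryptographic generator. A variant of the generator built on System.Security.Cryptography.RandomNumberGenerator follows as an added example that is not part of the original post; the function name New-RandomPassword is hypothetical and PowerShell 3.0 or later is assumed:

```powershell
# Added example; New-RandomPassword is a hypothetical name. Assumes PowerShell 3.0+.
function New-RandomPassword {
    param([ValidateRange(4, 128)][int]$Length = 12)

    # Same four character classes as the script above
    $classes = @(
        'abcdefghjkmnopqrstuvwxyz',
        'ABCDEFGHJKLMNOPQRSTUVWXYZ',
        '123456789',
        '!@#%&'
    )
    $all = -join $classes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

    # Uniform integer in [0, $max) from the CSPRNG; rejection sampling avoids modulo bias
    $next = {
        param([uint32]$max)
        $buf   = New-Object byte[] 4
        $limit = [uint32]::MaxValue - ([uint32]::MaxValue % $max)
        do {
            $rng.GetBytes($buf)
            $n = [BitConverter]::ToUInt32($buf, 0)
        } while ($n -ge $limit)
        [int]($n % $max)
    }

    $chars = New-Object System.Collections.Generic.List[char]
    # One character from every class, so the complexity rule always holds
    foreach ($c in $classes) { $chars.Add($c[(& $next $c.Length)]) }
    # Fill the rest from the combined pool
    while ($chars.Count -lt $Length) { $chars.Add($all[(& $next $all.Length)]) }
    # Fisher-Yates shuffle so the guaranteed characters do not sit in fixed positions
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = & $next ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    $rng.Dispose()
    return (-join $chars)
}

# In the loop above, the do/until block can then be replaced with:
#   $UserPasswordPlainText = New-RandomPassword -Length 12
```

The output file still holds every password in clear text, so keep it in a folder only the migration operator can read and delete it once the passwords have been handed out.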

 

Microsoft: User State Virtualization

Problem: Working with roaming profiles and getting corrupted profiles saying “User profile service service failed to logon”? Are the company’s users getting upset and angry because they can’t get in and work? Do users say it takes ages to log on while their profiles load?

We have experienced that, and today we are changing the User State Virtualization tactics. We will no longer offer central profiles for our users. We will no longer have to reset their corrupted profiles, because we are leaving it!

Today’s scenario :

User with HomeFolder + Central Profile with 30MB area.  What’s in the profile? Well, Outlook signatures, Desktop items, IE favorites, and other Windows settings (Appdata).

Tomorrow’s scenario:

Users with HomeFolder + NO CENTRAL PROFILE; instead we are going to use Folder Redirection. This means all of the users’ content gets moved to wherever we choose in our Group Policy with Folder Redirection. In this case we are going to use their home folder. This will give us faster logon, since no central profile will be loaded, and it will let users save very large files on their desktop since it’s not bound to their profiles any more. It will also give the IT department less of a headache administrating corrupted central profiles.

Configuration: 

  1. Create a GPO within the domain, with Folder Redirection
  2. Select a group of users which the GPO will be applied to
  3. Create a PowerShell script for removing profiles
  4. Schedule the script
  5. And wait!

1. The first thing we will do is create the GPO with Folder Redirection and Attachment Security, so create the GPO in your domain:

Edit the settings and navigate to User Configuration > Windows Settings > Folder Redirection, and edit as follows:

When users log in, this creates a new folder in their home folder, moves their central AppData into it and redirects it. With %HOMESHARE%, Windows understands that it should put it in the user’s home folder as specified on the object in AD. Do this for all of the objects you would like to get redirected (Desktop, Favorites etc.).

The next step is optional, but you will probably want to configure it, since it’s a pain for the end users otherwise: items located in the taskbar (pinned items) will warn the user that they are opening items from unsafe areas. There are two ways of doing this: either you configure IE settings with a GPO, or you configure Attachment Manager policies. I will show you how to configure Attachment Manager. Navigate to User Configuration > Policies > Administrative Templates > Windows Components > Attachment Manager. Edit the “Inclusion list for low file types” and set it as follows:

This will make exclusions for the taskbar shortcuts. Set: .exe;.lnk and save it.

2. Create a group within your domain; this group is linked to the GPO.

Ok so, as soon as the users log on to their computers, the Group Policy will create and move files to the users’ home folders. In this example I am applying it to 100 user accounts. I know for certain that they will not sign in the next 10 days, so I set a limit of 30 days. After 30 days I will remove the users’ profiles. Then I know at least 95% of my users will have logged on at least once. And those who haven’t will get Folder Redirection but it won’t move their old files, so I will have to do it manually.

3. Create the PowerShell script to remove users’ profiles:

function ProfileWipe([string]$adgroup)
{
    # ask for the group if none was passed in
    if (!$adgroup) { $adgroup = Read-Host "AD group name" }
    Import-Module ActiveDirectory
    Get-ADGroupMember -Identity $adgroup | select samAccountName | foreach {
        # select user from AD with default properties + profilepath and lastlogon
        $user = Get-ADUser $_.samaccountname -Properties profilepath, lastlogon
        # keep a record of the old path so it can be put back
        Add-Content "C:\profilepaths.txt" $user.profilepath
        # clear the roaming profile path on the account
        Set-ADUser $_.samaccountname -ProfilePath $null
    }
}

This gets the members of the AD group passed to the function (“No Profile Users” in this example). It removes the profile path of every user by replacing it with “$null”. It also exports a text document of the profile paths, so you can Ctrl + F a user and put the path back if something goes wrong. Keep in mind that you should not run this script until you know that all of the users in the group have logged on at least once since you activated Folder Redirection.

The last thing we will do is create a scheduled task and a .bat file. Create the .bat and paste:

 powershell.exe -command ProfileWipe No-Profiles

Schedule this for any time you would like, and we are done. This will maybe create other problems than we are experiencing with central profiles, but it’s worth a try and I will come back with feedback.

// Karl